CVE-2012-1012
Published: 7 June 2012
server/server_stubs.c in the kadmin protocol implementation in MIT Kerberos 5 (aka krb5) 1.10 before 1.10.1 does not properly restrict access to (1) SET_STRING and (2) GET_STRINGS operations, which might allow remote authenticated administrators to modify or read string attributes by leveraging the global list privilege.
Notes
Author | Note |
---|---|
sbeattie | only affects 1.10, also nothing in the core code uses string attributes yet |
Priority
Status
Package | Release | Status |
---|---|---|
krb5 Launchpad, Ubuntu, Debian |
upstream |
Released
(1.10.1+dfsg-1)
|
hardy |
Not vulnerable
(1.10 only)
|
|
lucid |
Not vulnerable
(1.10 only)
|
|
natty |
Not vulnerable
(1.10 only)
|
|
oneiric |
Not vulnerable
(1.10 only)
|
|
precise |
Released
(1.10+dfsg~beta1-2ubuntu0.3)
|
|
Patches: upstream: http://anonsvn.mit.edu/viewvc/krb5/trunk/src/kadmin/server/server_stubs.c?r1=25704&r2=25703&pathrev=25704 |
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1012
- https://bugzilla.redhat.com/show_bug.cgi?id=796438
- http://web.mit.edu/kerberos/krb5-1.10/
- http://src.mit.edu/fisheye/changelog/krb5/?cs=25704
- http://krbdev.mit.edu/rt/Ticket/Display.html?user=guest&pass=guest&id=7093
- https://ubuntu.com/security/notices/USN-1520-1
- NVD
- Launchpad
- Debian